Asus Device Discovery Version 1.0.0.1.13 on macOS: Local Code Injection.
A malicious application with standard user permissions could potentially run code execution within the application's process by injecting libraries through DYLD environment variables, allowing it to execute unauthorized actions while appearing to be part of the legitimate ASUS Device Discovery process.
Vendor / Vendor Homepage:
Asus / asus[dot]com
Affected Products:
Asus Device Discovery version 1.0.0.1.13 and earlier on macOS
Fixed Version:
Asus Device Discovery version 1.1.18
CVSS Score:
4.8 Medium CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/U:Green
References:
-
YoKo Kho
2024–01–21 — Vulnerability reported to Asus via official website — https://www[dot]asus[dot]com/securityadvisory/.
2024–01–31 — Asus conveyed that the issue had been fixed and asked for verification.
proof of email: https://miro.medium.com/v2/resize:fit:1400/format:webp/1*_su-EofqWRrAyN2UsR_6qA.png
2024–02–05 — Due to certain circumstances, the HakTrak Cybersecurity Squad only confirmed on the 5th that the exploit could no longer be reproduced. HakTrak also requested a CVE to Asus.
2024–02–06 — Asus reconfirmed the possibility of the issue still being reproducible and asked for a draft of the advisory that we would use to request the CVE.
2024–02–06 — The HakTrak Cybersecurity Squad again confirmed that the exploit could no longer be reproduced. On this occasion, the draft report, which was intended to be sent to Mitre, was provided to Asus.
2024–03–20 — The HakTrak Cybersecurity Squad sent a confirmation request to see if the draft was approved.
2024–03–21 — Asus replied that the draft had been approved and requested that the CVE number and the publication date of the advisory be shared once available.
proof of email: https://miro.medium.com/v2/resize:fit:1400/format:webp/1*prQcJE0teYfkQE5_F2ZW-Q.png
2024–11–13 — Advisory has been released.
